Three interrelated high-severity security flaws discovered in Kubernetes could be exploited to achieve remote code execution with elevated privileges on Windows endpoints within a cluster.
The issues, tracked as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, carry CVSS scores of 8.8 and affect all Kubernetes environments with Windows nodes. Fixes for the vulnerabilities were released on August 23, 2023, following responsible disclosure by Akamai on July 13, 2023.
“The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” Akamai security researcher Tomer Peled said in a technical write-up shared with The Hacker News. “To exploit this vulnerability, the attacker needs to apply a malicious YAML file on the cluster.”
The following kubelet versions are affected:
- kubelet < v1.28.1
- kubelet < v1.27.5
- kubelet < v1.26.8
- kubelet < v1.25.13, and
- kubelet < v1.24.17
In a nutshell, CVE-2023-3676 allows an attacker with ‘apply’ privileges (which make it possible to interact with the Kubernetes API) to inject arbitrary code that will be executed on remote Windows machines with SYSTEM privileges.
“CVE-2023-3676 requires low privileges and, therefore, sets a low bar for attackers: All they need to have is access to a node and apply privileges,” Peled noted.
The vulnerability, along with CVE-2023-3955, arises from a lack of input sanitization, which allows a specially crafted path string to be parsed as a parameter to a PowerShell command, effectively leading to command execution.
CVE-2023-3893, on the other hand, relates to a case of privilege escalation in the Container Storage Interface (CSI) proxy that allows a malicious actor to obtain administrator access on the node.
“A recurring theme among these vulnerabilities is a lapse in input sanitization in the Windows-specific porting of the Kubelet,” Kubernetes security platform ARMO highlighted last month.
“Specifically, when handling Pod definitions, the software fails to adequately validate or sanitize user inputs. This oversight enables malicious users to craft pods with environment variables and host paths that, when processed, lead to undesired behaviors, such as privilege escalation.”